Only cooperation will make us less vulnerable

But just as these stories are slapping already beleaguered IT security guys right in the kisser, another tale is evolving which might provide a long-awaited antidote to the sting: vendors are admitting they must do more to secure their software.

The National Cyber Security Partnership (NCSP), a consortium of business and technology groups, has been formed to develop shared standards and programs to better secure the U.S.'s critical information infrastructure. It recently released draft strategies which, taken together, offer a long-term plan to reduce software vulnerabilities. These were offered by several of its working groups, which cover technical standards/common criteria, research, corporate governance and more.

As well as encouraging the government and users to demand the certification of security management products, and advocating that vendors, user groups and consumers work with the National Institute of Standards and Technology to develop stronger baseline policies for various IT environments, the group is recommending a host of other interesting items on a 'to do' list. It wants testing of software security during initial design stages, strong out-of-the-box security configurations for products, more and stronger security checklists and recommendations provided with products and, particularly, that industry collaborates to develop sets of standards "for using recommended security equipment, and best practices for understanding, designing and implementing secured IP network infrastructures."

If the recommendations are one day followed and championed by vendors, government and other industry players, many of the attacks leveraging system holes would be minimized drastically. But it's going to take a long time and a lot of cooperation to get there. Let's hope the vendor members will commit for the long-term.

The NCSP is seeking from the public a review of the suggestions made, in addition to some specific advice on how the industry can adopt and implement the recommendations. Email Leslie Saul Garvin on lsaul@technet.org. You can learn more and get a copy of the recommendations at www.cyberpartnership.org.

And while you're doing that, you should also hit SC Magazine's website. To continue sending you a complimentary subscription of the magazine, we need you to renew once a year. So renew online at www.e-circ.net/isn/isnsub.asp. And thanks kindly for reading.